The Path to MSSP

(Image credit: Den Rise / Shutterstock)

This year, we have seen cybersecurity become a top boardroom priority thanks to the unprecedented rise in high-profile data breaches, hacks, and attacks. Petya and the recent BadRabbit ransomware attack have made waves throughout the cybersecurity ecosystem, demonstrating that any business can be a target, regardless of vertical, sector, or size. The likes of Uber® and Equifax® have only added fuel to the fire, further highlighting just how underprepared the modern-day enterprise is when it comes to cybersecurity.

However, it’s not all doom and gloom, as this cybersecurity unpreparedness presents opportunities for today’s managed service providers (MSPs). The biggest and most lucrative of these opportunities is the chance for MSPs to become managed security service providers (MSSPs).  

But with some MSPs offering security services, why haven’t they made the leap to MSSP sooner, and reaped the rewards the tumultuous cybersecurity landscape has to offer? Although MSPs recognise they need to do more to tackle cybersecurity, in reality, the path to MSSP isn’t an easy one. Firstly, MSPs are unsure what the MSSP title really means. Furthermore, MSPs are in the dark when it comes to the responsibilities that come with the moniker, and if the title even holds any weight.    

But what exactly does becoming an MSSP entail? And how do MSPs make the transition? 

Getting to grips with the basics    

While “Managed Security Services Provider” should be seen as a coveted title, it’s often referenced as a casual description of a security IT provider. But it should be considered an earned title that suggests defined security capabilities and levels of reliability, above and beyond those levels of service expected of typical providers.  

Yet a small number of MSPs have already proclaimed themselves MSSPs without considering what it means or whether they fulfill some of the requirements. Much of the confusion is down to a lack of knowledge on the capabilities and services that qualify a service provider to operate as an MSSP. While there is a general appreciation that being an MSSP requires certain qualifications, processes, advanced technical capabilities, and resources, exactly which of these are needed is often misunderstood.

Putting the ‘S’ in MSSP 

To make the transition to MSSP, service providers need to be able to offer four key security services: infrastructure, data security, risk and vulnerability management, and identity and access management. Nonetheless, as most MSPs are already managing business risk for their customers, managing security risk would not require them to start from scratch. Simply by adopting security risk management and integrating it into their business risk management, MSPs should be able to offer security services quickly and be well on the path to becoming a full-service MSSP.

Even so, for this to be effective, these services must be delivered efficiently, and MSPs must be highly proficient in the following three areas:

  • Knowledge: Having equally strong knowledge and expertise in areas such as assessment, management, monitoring, mitigation, identification of issues, and recovery. 
  • Organisational ability: The creation of robust internal processes covering reporting, tracking, and management procedures. 
  • Technology tools and resources: Knowing how to select and best use the tools available, which comes from prudent staffing, as well as proper training and certification programmes across all tools, software, and resources.   

Just as being a highly valued MSP requires providers to deliver an inclusive portfolio of services in a reliable, expert, and organised manner, moving towards being an MSSP requires their portfolio to extend and include security offerings at the same level of quality.   

Making the leap 

Before asking why more MSPs aren’t taking advantage of becoming MSSPs, it’s important to clarify why becoming an MSSP is worth the effort in the first place. In an increasingly turbulent market, our own research shows 80% of businesses are planning to change the way they manage their IT security over the next 12 months.

This might include switching their current service provider and ceasing outsourcing in favour of in-house resources or vice versa. Either way, it is an astonishingly high figure, showing just how much opportunity exists for MSSPs.

But what is perhaps most interesting is that 70% of these businesses would favour a potential supplier more if they were offering managed security services.

With the majority of organisations about to change the way in which they resource their security, here lies the opportunity; but only for those offering security services. 

Where the opportunities lie  

In terms of where the opportunities are coming from, there are two main sources. The first source is coming from the struggling internal teams. Out of all organisations tackling security internally, 82% are looking at outsourcing due to cost or performance. These 82% of future outsourcers constitute an enormous 49% of the entire respondent base, making those currently without a provider not only the largest potential opportunity for MSSPs, but also the easiest.  

The second source is the organisations already outsourcing security, but either planning on changing providers or switching to in-house. 63% of the market has outsourced at least part of its security function, if not all, and 51% of this group is planning on bringing this back in-house.     

Surprisingly, this 51% represents a key opportunity for MSSPs. Although those organisations are convinced they can do a better job themselves, the next step for a well-organised MSSP is to convince the target business that the problem was not with the outsourcing model, but with the incumbent’s skillset and sophistication—and then make the case for the MSSP that can satisfy the security services requirements.    

The remaining 49% of those planning on changing providers are seeking a new provider ultimately because they don’t think the incumbent is worth the spend. While this may seem to be financially driven reasoning, it is in fact down to performance. The bottom line is that organisations feel like they’re not getting enough for their money.   

More than just the wrapper    

The world as we know it is changing, especially regarding how we fight security threats. With security increasingly moving up the chain of command for organisations around the world, MSPs must be able to prove they are truly capable of offering some of the security services—not simply jumping on the MSSP bandwagon.

Nonetheless, the path to becoming an MSSP is more than just a change in title. It’s about the ability to provide strong, broad expertise in a reliable, expert, and organised manner across all technical and consulting teams; it also means having robust internal processes, as well as a comprehensive technical infrastructure.

MSSPs who have structured their business in line with security requirements are in the best possible position to take advantage of the upcoming market opportunities to gain an advantage over their competitors.     

Tim Brown, VP security Architecture at SolarWinds MSP

Tim Brown is the VP of security architecture at SolarWinds.